Webpack-dev-server: Vulnerability in child dependency for yargs
- Operating System: Windows 10, Linux, macOS
- Node Version: 12.16.1
- NPM Version: 6.13.4
- webpack-dev-server Version: 3.9.0
Browser: all
[X] This is a bug
- [ ] This is a modification request
Expected Behavior
webpack-dev-server uses [email protected] that has a child dependency (yarg-parser) that contains a known vulnerability. The vulnerability has been patched in and updated in yargs@>13.0.0.0.
For Bugs; How can we reproduce the behavior?
The reproduction steps are available on the vulnerability disclosure.
chillheart
👍15
All 4 comments
Fixed in deps
alexander-akait
on 14 Apr 2020
@evilebottnawi Where was this updated? The latest yargs in the master branch is still 12.0.5:
I also checked the next branch but that seems like it's unused...
karlhorky
on 17 Apr 2020
👍4
There is a try to fix this vulnerability here #2249
However there is some blur on it really exist or not.
fturib
on 21 Apr 2020
This needs to be opened back up. This has not been resolved: https://nvd.nist.gov/vuln/detail/CVE-2020-7608
nathanBrenner
on 18 May 2020
Was this page helpful?
0 / 5 - 0 ratings
Related issues
hnqlvs
路
3Comments
nikirossi
路
3Comments
wojtekmaj
路
3Comments
adiachenko
路
3Comments
Jack-Works
路
3Comments
Most helpful comment
@evilebottnawi Where was this updated? The latest
yargsin themasterbranch is still12.0.5:https://github.com/webpack/webpack-dev-server/blob/0e9bffbc9617dcc702aad72df77feaa5d1ff58ad/package.json#L71
I also checked the
nextbranch but that seems like it's unused...